Chip-Level Spying Has a Long History Under the Chinese Regime

By Joshua Philipp
October 5, 2018

Customers walk past an Apple logo inside of an Apple store at Grand Central Station in New York on Aug. 1, 2018. (Reuters/Lucas Jackson).

News Analysis

If Chinese spy chips were found in the hardware of Apple and Amazon (they were, according to a report by Bloomberg; the two companies deny their servers were compromised), this should have been expected. There’s a long history of cases like this.

The Senate Armed Services Committee warned of this threat in May 2012, and found over 1 million counterfeit parts in U.S. military systems—largely from China.

Here’s a quote from that report: “The investigation uncovered dozens of examples of suspect counterfeit electronic parts in critical military systems, including on thermal weapons sights delivered to the Army, on mission computers for the Missile Defense Agency’s Terminal High Altitude Area Defense (THAAD) missile, and on a large number of military airplanes.”

This was also just the tip of the iceberg. Remember that in 2013, Chinese spy chips were found in electric kettles and irons being sent to Russia. They would search for unsecured WiFi connections, then call home.

Also remember that in 2011, recording devices were found in all dual-plate Chinese-Hong Kong vehicles, which were installed by China’s Shenzhen Inspection and Quarantine Bureau.

In June 2010, Chinese-made memory cards in Olympus Stylus Tough cameras were found to be infecting computers. The same virus was found in memory cards of Samsung smartphones.

And similar embedded threats were found in Chinese-made TomTom GPS systems and other devices that were being sold at places including Best Buy, Target, and Sam’s Club. A list of cases could go on for a while.

Among the more serious cases was the “Zombie Zero” threat that was uncovered in 2014 by TrapX.

TrapX found that a Chinese company had installed spy software in handheld scanning devices used for global shipping.

The infected devices in the “Zombie Zero” case gave Chinese spies access to all corporate financial data, customer data, and shipping data on the infected systems and also complete situational awareness of global shipping and logistics operations.

The U.S. government tried addressing the threat of embedded breaches in the supply chain through a law passed in the 2014 U.S. federal budget that requested a review of products purchased by federal agencies.

China’s Ministry of Commerce of course didn’t like this very much. It released a statement soon after saying the U.S. policy would “have a negative effect on Chinese companies, besides harming the interests of U.S. firms.”

Chinese state news outlet Global Times even claimed the United States should “correct its mistaken ways” after the law was passed.

A similar program was passed in the private sector around the same time, called the Open Trusted Technology Provider Standard Accreditation Program, but was likely sabotaged in attempts to appease the Chinese regime.

Included in its 422 members were 11 groups based in China, where most of these threats originated.

They likely knew this as well. This followed the Armed Services Committee report that said “China is the dominant source country for counterfeit electronic parts that are infiltrating the defense supply chain.”

The same Senate report said, “The Chinese government has failed to take steps to stop counterfeiting operations that are carried out openly in that country.”

Going by the recent case, it doesn’t look like the public or private program did much good.

The list of threats like this could go on for some time. What we’re seeing with threats from Chinese chip makers is an ongoing problem that the U.S. government and major companies are aware of, yet have not properly addressed.